Hello, I have got a feedback form on my website. When a customer writes a testimonial it gets automatically added to my testimonials.php page, but I have noticed that if a customer writes the word can't, for example, the testimonial is not displayed on the website due to the ' character in the word between the n and t. I have found out it is to do with the following line, I think:

$query = "insert into testimonials(name,testimonial)values('$name','$testimonial')";

How would I change that line or insert a bit of coding so that characters like ' and others are displayed when words that have those characters in them are added to the database table?

Kind regards, Ian
Before I give you the solution, let me tell you 2 things.

1. Looks like you are using the mysql functions of PHP. Don't use them; it is discouraged to use them. Use PDO or mysqli instead (check php.net for more details).

2. Never Never Never Ever trust people's input. Always escape and check what they have provided you.

And now to your answer:

$name = mysql_real_escape_string($name);
$testimonial = mysql_real_escape_string($testimonial);
$query = "insert into testimonials(name,testimonial)values('$name','$testimonial')";
Hi Plussy, thank you so much for the advice. I will definitely take your advice on board. So you're saying have the testimonial sent to myself to confirm and check it over, and then have it added to the testimonials page? Also thank you for the answer as well, really appreciate it.
That is right. You should check everything to make sure all GET, POST, FILES and COOKIE data is clean and as expected. Besides that, it is bad practice if you have a URL like this: "search.php?q=tets&p=2". I would always make sure that q is escaped and that p is always a positive integer. Yes, it means more work, but in the long run you don't have to try to figure out how someone hacked your site.
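To show the PDO approach recommended above together with the input checks described in the last post, here is an added example (not code from any poster in this thread). It uses an in-memory SQLite database as a stand-in for the MySQL connection and assumes a table testimonials(name, testimonial); the function names are my own.

```php
<?php
// Added example: inserting a testimonial with a PDO prepared statement and
// validating the q / p query-string parameters. Uses SQLite in memory as a
// stand-in for the site's MySQL connection (assumption, not the thread's code).
declare(strict_types=1);

function insertTestimonial(PDO $pdo, string $name, string $testimonial): bool
{
    // Placeholders keep the data separate from the SQL text, so the apostrophe
    // in "can't" is stored literally and can never terminate the string literal.
    $stmt = $pdo->prepare(
        'INSERT INTO testimonials (name, testimonial) VALUES (:name, :testimonial)'
    );
    return $stmt->execute([':name' => $name, ':testimonial' => $testimonial]);
}

// Validate search parameters: q is a bounded string, p must be a positive
// integer. Anything else is rejected rather than silently "repaired".
function readSearchParams(array $get): ?array
{
    $q = isset($get['q']) ? (string) $get['q'] : '';
    if (strlen($q) > 200) {
        return null;
    }
    $p = filter_var($get['p'] ?? '1', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($p === false) {
        return null;
    }
    return ['q' => $q, 'p' => $p];
}

// Escape on output as well, so stored text cannot inject HTML into testimonials.php.
function renderTestimonial(string $name, string $testimonial): string
{
    return '<blockquote>' . htmlspecialchars($testimonial, ENT_QUOTES, 'UTF-8')
        . ' <cite>' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</cite></blockquote>';
}

// Constructed sample run.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE testimonials (name TEXT, testimonial TEXT)');
insertTestimonial($pdo, 'Ian', "I can't recommend them enough");
foreach ($pdo->query('SELECT name, testimonial FROM testimonials') as $row) {
    echo renderTestimonial($row['name'], $row['testimonial']), PHP_EOL;
}
var_dump(readSearchParams(['q' => 'tets', 'p' => '2']));   // array with p => 2
var_dump(readSearchParams(['q' => 'tets', 'p' => '-1']));  // NULL (rejected)
```

With mysqli the same idea applies: prepare the statement once, bind the values, and never concatenate user input into the query string.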